Digital Cash Mini-FAQ

I recently wrote a description of digital cash for Tom Steinert-Threlkeld,
Technology Writer for the Dallas Morning News. I figured I might as well
post it here in case there are any newbies that are still coming up to
speed. Keep in mind that my intended audience is a person who is in touch
with the latest commercially available technology, but is not an engineer,
mathematician, or scientist. I've intentionally generalized and
oversimplified the descriptions to keep from getting bogged down in the
details. If I've made any gross errors let me know, but I think most of
the information is accurate.

Q: How is digital cash possible?

A: Public-key cryptography and digital signatures (both blind and
non-blind signatures) make digital cash possible. It would take too long
to go into detail how public-key cryptography and digital signatures work.
But the basic gist is that banks and customers would have public-key
encryption keys. Public-key encryption keys come in pairs. A private key
known only to the owner, and a public key, made available to everyone.
Whatever the private key encrypts, the public key can decrypt, and vice
verse. Banks and customers use their keys to encrypt (for security) and
sign (for identification) blocks of digital data that represent money
orders. A bank "signs" money orders using its private key and customers
and merchants verify the signed money orders using the bank's widely
published public key. Customers sign deposits and withdraws using their
private key and the bank uses the customer's public key to verify the
signed withdraws and deposits.

Q: Are there different kinds of digital cash?

A: Yes. In general, there are two distinct types of digital cash:
identified digital cash and anonymous digital cash. Identified digital
cash contains information revealing the identity of the person who
originally withdrew the money from the bank. Also, in much the same
manner as credit cards, identified digital cash enables the bank to track
the money as it moves through the economy. Anonymous digital cash works
just like real paper cash. Once anonymous digital cash is withdrawn from
an account, it can be spent or given away without leaving a transaction
trail. You create anonymous digital cash by using numbered bank accounts
and blind signatures rather than fully identified accounts and non-blind
signatures.

[To better understand blind signatures and their use with digital cash, I
highly recommend skimming through chapters 1 - 6 of Bruce Schneier's book
_Applied Cryptography_ (available at Taylor's Technical Books). It is
quite readable, even to the layman. He doesn't get into the heavy-duty
math until later in the book. Even if you don't write a digital cash
column in the near future, I still recommend reading through chapters 1 -
6 of _Applied Cryptography_. Bruce does a very good job of describing the
wide variety of interesting things you can do when you combine computers,
networks, and cryptography.]

There are two varieties of each type of digital cash: online digital cash
and offline digital cash. Online means you need to interact with a bank
(via modem or network) to conduct a transaction with a third party.
Offline means you can conduct a transaction without having to directly
involve a bank. Offline anonymous digital cash is the most complex form
of digital cash because of the double-spending problem.

Q: What is the double-spending problem?

A: Since digital cash is just a bunch of bits, a piece of digital cash is
very easy to duplicate. Since the copy is indistinguishable from the
original you might think that counterfeiting would be impossible to
detect. A trivial digital cash system would allow me to copy of a piece
of digital cash and spend both copies. I could become a millionaire in a
matter of a few minutes. Obviously, real digital cash systems must be
able to prevent or detect double spending.

Online digital cash systems prevent double spending by requiring merchants
to contact the bank's computer with every sale. The bank computer
maintains a database of all the spent pieces of digital cash and can
easily indicate to the merchant if a given piece of digital cash is still
spendable. If the bank computer says the digital cash has already been
spent, the merchant refuses the sale. This is very similar to the way
merchants currently verify credit cards at the point of sale.

Offline digital cash systems detect double spending in a couple of
different ways. One way is to create a special smart card containing a
tamper-proof chip called an "Observer" (in some systems). The Observer
chip keeps a mini database of all the pieces of digital cash spent by that
smart card. If the owner of the smart card attempts to copy some digital
cash and spend it twice, the imbedded Observer chip would detect the
attempt and would not allow the transaction. Since the Observer chip is
tamper-proof, the owner cannot erase the mini-database without permanently
damaging the smart card.

The other way offline digital cash systems handle double spending is to
structure the digital cash and cryptographic protocols so the identity of
the double spender is known by the time the piece of digital cash makes it
way back to the bank. If users of the offline digital cash know they will
get caught, the incidents of double spending will be minimized (in
theory). The advantage of these kinds of offline systems is that they
don't require special tamper-proof chips. The entire system can be
written in software and can run on ordinary PCs or cheap smart cards.

It is easy to construct this kind of offline system for identified digital
cash. Identified offline digital cash systems can accumulate the complete
path the digital cash made through the economy. The identified digital
cash "grows" each time it is spent. The particulars of each transaction
are appended to the piece of digital cash and travel with it as it moves
from person to person, merchant to vender. When the cash is finally
deposited, the bank checks its database to see if the piece of digital
cash was double spent. If the digital cash was copied and spent more than
once, it will eventually appear twice in the "spent" database. The bank
uses the transaction trails to identify the double spender.

Offline anonymous digital cash (sans Observer chip) also grows with each
transaction, but the information that is accumulated is of a different
nature. The result is the same however. When the anonymous digital cash
reaches the bank, the bank will be able to examine it's database and
determine if the digital cash was double spent. The information
accumulated along the way will identify the double spender.

The big difference between offline anonymous digital cash and offline
identified digital cash is that the information accumulated with anonymous
digital cash will only reveal the identity of the spender if the cash is
double spent. If the anonymous digital cash is not double spent, the bank
can not determine the identity of the original spender nor can it
reconstruct the path the cash took through the economy.

With identified digital cash, both offline or online, the bank can always
reconstruct the path the cash took through the economy. The bank will
know what everyone bought, where they bought it, when they bought it, and
how much they paid. And what the bank knows, the IRS knows.

By the way, did you declare that $20 bill your Grandmother gave you for
your birthday? You didn't? Well, you wont have to worry about forgetting
those sorts of things when everybody is using fully identified digital
cash. As a matter of fact, you wont even have to worry about filing a tax
return. The IRS will just send you a bill.